How Much Is Your Credit Card Information Worth?

The answer, according to the BBC, is “as little as ?ú2” ($3.2), which is the amount for which dozens of websites are selling the credit card information of millions of victims of identity theft. The British broadcaster reports that 36 of these sites have been taken down and three men arrested as part of an organized police operation on three continents.

That is good news and I wish we heard about such success stories more often than we do. But there is another side of the story that I found somewhat disturbing. The BBC piece tells us that the operation that culminated in the arrests and website closures lasted for two years. During that time, we are told, the police were able to prevent fraud worth at least ?ú500 million ($809 million). However, the sites were fully operational throughout the surveillance period and were presumably making sales and getting paid. It is unclear how the information sold in these transactions may have been prevented from being transferred to the buyers. So I couldn’t help but wonder why the offending websites weren’t being shut down on discovery and all efforts made to identify and arrest their owners. Of course, as the BBC reminds us, doing so is not exactly trivial, but I don’t think it’s impossible.

How Your Credit Card Is Obtained and Sold

The BBC tells us that the collecting and selling of credit card data has become a quite straightforward process that is now being applied on an “industrial scale”. Here is the broad outline of such an operation:

[T]raditional “bedroom” hackers were being recruited by criminal gangs to write the malware or “phishing” software that steals personal information.

Other IT experts are used to write the computer code that enables the websites to cope, automatically, with selling the huge amounts of data.

And the amounts of stolen data on the market are truly enormous. During the course of the two-year operation in question, the police were able to recover the information of about two-and-a-half million credit cards. According to another report — by British newspaper the Independent — websites were selling stolen card details for between ?ú0.04 ($0.065) and ?ú60 ($97) per card, affording scammers a “comfortable living”.

Why Are Criminal Websites not Shut Down?

A website selling credit card information is as criminal as they come and a court order for shutting it down should be easy to obtain. So why did the authorities have to wait for two years before they did so? Here is the reason given by Graham Cluley of internet security firm Sophos in an interview with the Independent and I suspect the police would have said much the same:

The authorities have shut down 36 websites but it is difficult to know how many other people had access to that data. They could spring back up somewhere else if a gang is not eradicated completely.

I don’t buy this reasoning. First of all, how do you ensure that a gang is eradicated completely when it is difficult to know how many people had access to the data? At what point do you decide that you know everything and everyone you need to know to make a move and start arresting people? Moreover, as this is a very lucrative market, taking down one criminal organization will not solve anything, as there will be plenty of competitors willing and able to fill the void. So a complete eradication is a rather illusory goal.

What the authorities should be doing instead, even as they are going after the criminal enterprises, is to be closing down the offending websites and cracking down hard on the companies that are hosting them. If the criminals have nowhere to sell the stolen data, they can’t do much damage. But getting web hosts to cooperate is difficult, the head of Britain’s Serious Organized Crime Agency (SOCA) is telling us, as quoted by the BBC:

What we are trying to do is influence the industry to introduce more secure systems so they do know who is registering these sites and they have a more comprehensive customer database, and do more aimed at preventing criminals buying websites and using them for criminal ends.

Well, I don’t think that attempts at influencing the industry will get it done. The authorities need to get more serious about fighting this type of crime.

The Takeaway

What will get the job done is closing down websites selling credit card data and imposing a fine on Internet Service Providers (ISPs) for hosting an offending site. It doesn’t have to be a huge fine either, but once you start doing that, the ISPs will quickly begin policing their customers for you. If the ISP is operating outside of your jurisdiction and refuses to comply with your demands, block all of its websites. If you don’t know how to do that, ask the Chinese. I don’t think there are many people who would agree to have their websites hosted by a company whose servers are blocked in the U.S., U.K., Europe, Australia and eventually many other countries, whose politicians will feel compelled to join the blockade. After all, no government will want to be seen by its citizens and abroad as aiding and abetting cyber criminals.

Taking down websites does not solve the problem, because the stolen credit card numbers are still out there and the criminals can still sell them. To solve it, these accounts need to be deactivated, so you first need to get your hands on the information.

Good job tracking down these criminals! I don’t agree with your criticism, closing down websites by itself will not do much. We need to make sure that we get to the people who steal the information and lock them up.